Full Report
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in the Democratic People's Republic of Korea (DPRK) information technology (IT) worker scheme with an aim to defraud U.S. businesses and generate illicit revenue for the regime to fund its weapons of mass destruction (WMD) programs. "The North Korean
Analysis Summary
# Threat Actor: Jasper Sleet (DPRK IT Worker Network)
## Attribution & Identity
* **Primary Identity:** North Korean (DPRK) IT Worker Network.
* **Aliases:** Coral Sleet, Jasper Sleet, PurpleDelta, Wagemole.
* **Known Associations:** Subgroup of the **Lazarus Group** (specifically linked to the "Contagious Interview" campaign).
* **Sanctioned Entities:**
  * Amnokgang Technology Development Company.
  * Quangvietdnbg International Services Company Limited.
* **Sanctioned Individuals:**
  * Nguyen Quang Viet (CEO of Quangvietdnbg).
  * Do Phi Khanh (Proxy/launderer).
  * Hoang Van Nguyen (Financial facilitator).
  * Yun Song Guk (Manager of IT worker delegation).
  * Hoang Minh Quang (Financial facilitator).
  * York Louis Celestino Herrera (Contract developer).
## Activity Summary
The North Korean regime utilizes overseas IT operatives to bypass international sanctions and generate revenue for its Weapons of Mass Destruction (WMD) and missile programs. These workers infiltrate U.S. and global businesses by posing as legitimate remote freelance developers. Recent activities involve large-scale currency conversion (approx. $2.5 million via cryptocurrency) and failed attempts to infiltrate organizations that were hiring for Salesforce data management work.
## Tactics, Techniques & Procedures
* **Identity Deception:** Use of stolen identities, fabricated personas, and forged documentation to land remote jobs.
* **Geographic Masking:** Utilizing **Astrill VPN** to tunnel traffic through U.S.-based exit nodes to hide physical locations in China or Laos.
* **AI Augmentation:** Use of Artificial Intelligence to enhance identity fabrication and persona development.
* **Social Engineering:** Responding to "help wanted" ads and participating in "Contagious Interview" schemes to gain access to corporate environments.
* **Data Exfiltration & Extortion:** Deploying malware to steal proprietary data and demanding ransoms to prevent public leaks.
* **Financial Laundering:** Funneling salaries through proxies and converting fiat currency to cryptocurrency through third-party companies.
## Targeting
* **Sectors:** Technology, Software Development (specifically Salesforce/Data management), Defense, and Commercial sectors.
* **Geography:** Primary targets in the **United States**; operational bases in **China (Boten)**, **Vietnam**, and **Laos**.
* **Victims:** Legitimate U.S. businesses and international companies hiring remote freelancers.
## Tools & Infrastructure
* **VPN Services:** Astrill VPN (specifically used to bypass the Great Firewall of China).
* **Malware:** Unspecified malware used for sensitive data theft and extortion.
* **Payment Infrastructure:** Bank accounts opened via proxies (Do Phi Khanh, Hoang Van Nguyen) and cryptocurrency conversion services.
## Implications
The DPRK IT worker scheme represents a significant dual threat: financial loss via fraudulent wages and high-level insider threat risks. These workers provide the North Korean regime with a steady stream of hard currency and potential "backdoor" access to sensitive corporate networks, which can be weaponized for espionage or state-sponsored extortion.
## Mitigations
* **Identity Verification:** Implement rigorous background checks and multi-factor authentication that includes physical hardware security keys.
* **Geolocation Monitoring:** Monitor for consistent logins from VPN exit nodes or suspicious geographic shifts (e.g., workers hired for U.S. roles consistently appearing via Chinese infrastructure).
* **Interview Integrity:** Use video interviews and specialized technical assessments to verify that the person hired matches the identity and skill level provided.
* **Zero Trust Architecture:** Limit remote worker access strictly to the resources required for their specific tasks to prevent lateral movement.
* **Financial Scrutiny:** Review payroll accounts for names or entities flagged by OFAC or associated with known laundering proxies.
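As an added illustration of the geolocation-monitoring mitigation above (example code written for this summary, not from OFAC or any vendor product), the following Python script reviews constructed login records for the indicators the list names: sessions that consistently arrive via VPN exit nodes, logins geolocated outside the country the role was hired for, and a country change between two logins within a short window. The user names, timestamps and the substring-based VPN match are assumptions; a production check would enrich source IPs from a maintained VPN/proxy ASN feed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real data), fields:
# (user, hired-for country, timestamp, geolocated source country, network owner)
SAMPLE_LOGINS = [
    ("dev.alice", "US", "2024-03-01T09:02:00", "US", "Comcast Cable"),
    ("dev.alice", "US", "2024-03-01T17:40:00", "US", "Comcast Cable"),
    ("dev.bob",   "US", "2024-03-01T02:10:00", "US", "Astrill VPN"),
    ("dev.bob",   "US", "2024-03-01T02:55:00", "CN", "China Telecom"),
    ("dev.bob",   "US", "2024-03-02T01:48:00", "US", "Astrill VPN"),
    ("dev.bob",   "US", "2024-03-03T02:05:00", "US", "Astrill VPN"),
]

# Assumed: VPN exits are recognised by the owner label; use a real VPN/proxy ASN feed in practice.
VPN_MARKERS = ("astrill", "vpn")

def is_vpn(net_org: str) -> bool:
    return any(m in net_org.lower() for m in VPN_MARKERS)

def review_logins(logins, vpn_ratio=0.5, shift_window_min=120):
    """Map user -> list of reasons for accounts matching the indicators above:
    most sessions via VPN exit nodes, any login outside the hired-for country,
    or a change of source country between two logins within shift_window_min."""
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev[0]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[2])  # chronological order per account
        reasons = []
        share = sum(is_vpn(e[4]) for e in evs) / len(evs)
        if share >= vpn_ratio:
            reasons.append(f"{share:.0%} of logins via VPN infrastructure")
        abroad = sorted({e[3] for e in evs if e[3] != e[1]})
        if abroad:
            reasons.append(f"logins from {abroad} for a {evs[0][1]}-hired role")
        for prev, cur in zip(evs, evs[1:]):
            mins = (datetime.fromisoformat(cur[2]) - datetime.fromisoformat(prev[2])).total_seconds() / 60
            if cur[3] != prev[3] and mins <= shift_window_min:
                reasons.append(f"{prev[3]}->{cur[3]} within {mins:.0f} min")
                break  # one rapid shift is enough to flag the account
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":  # run stand-alone to print the review
    for user, why in review_logins(SAMPLE_LOGINS).items():
        print(user, "->", "; ".join(why))
```

On the constructed data only `dev.bob` is flagged, on all three indicators; the thresholds are starting points to tune against an organisation's own baseline of legitimate remote-worker traffic.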